AfterDawn: Tech news

Code shown to exploit Xbox 360 security

Written by James Delahunty (Google+) @ 01 Mar 2007 7:20 User comments (13)

Code shown to exploit Xbox 360 security An anonymous hacker has discovered a way to hack Microsoft's Xbox 360 console in a way that could have allowed an alternative operating system to run on the hardware. For the hack to work, physical access to the hardware is required to take advantage of a vulnerability in the Xbox 360 hypervisor.
The hypervisor provides encryption and decryption services for the console, and controls access to memory. This ensures that all games and other code run on the console need to be cryptographically signed with Microsoft's private key and run in non-privileged read-only mode.

Flaws in the interaction between unprivileged code and the hypervisor led to the groundwork for the hack. The hacker tipped off Microsoft about the problem and the company quickly produced a patch. Proof of concept code and details were published on BugTraq on Wednesday.

Critical (Unsigned Code Execution in Hypervisor Mode)


Systems Affected:
All Xbox 360 systems with a kernel version of 4532 (released Oct 31, 2006) and 4548 (released Nov 30, 2006). Versions prior to 4532 are not affected. Bug was fixed in version 4552 (released Jan 09, 2007 - not a Patch Tuesday).

We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access.

Technical details:
The Xbox 360 security system is designed around a hypervisor concept. All games and other applications, which must be cryptographically signed with Microsoft's private key, run in non-privileged mode, while only a small
hypervisor runs in privileged ("hypervisor") mode. The hypervisor controls access to memory and provides encryption and decryption services.

The policy implemented in the hypervisor forces all executable code to be read-only and encrypted. Therefore, unprivileged code cannot change executable code. A physical memory attack could modify code; however, code memory is encrypted with a unique per-session key, making meaningful modification of code memory in a broadly distributable fashion difficult. In addition, the stack and heap are always marked as non-executable, and therefore data loaded there can never be jumped to by unprivileged code.

Unprivileged code interacts with the hypervisor via the "sc" ("syscall") instruction, which causes the machine to enter hypervisor mode. The vulnerability is a result of incomplete checking of the parameters passed to the syscall dispatcher, as illustrated below.
Read the rest of the technical details at

The Register

More Recent Gaming News


BioShock release set for August Mar 01, 2007
Take-Two enters settlement for Hot Coffee Mar 01, 2007
Sony: 1000 PS2 games backwards compatible with Euro PS3 Mar 01, 2007
Sony confirms price of UK PS3 downloads Feb 28, 2007
Sony aims to resolve PS3 shortages by May Feb 27, 2007
Sony Australia boss talks about PS3 price Feb 27, 2007
Disney teams up with Macrovision for game downloads Feb 27, 2007
Microsoft changes to Wii strategy Feb 27, 2007
European PS3 titles priced Feb 26, 2007
Best Buy sale, $2 video games Feb 26, 2007

Previous Next  

13 user comments

11.3.2007 7:24

knew about this

they where talking about it on a german video that showed a hacker hacking the 360 to run a screen saver that said mac osx and linux soon

21.3.2007 7:55

I had thought that was just modified King Kong running on hacked DVD drive firmware?

31.3.2007 9:19

To bad that hacker gave his goods away to M$. But I bet he made an ass load of cash.

41.3.2007 9:30

I read of rumors that the German video was made with the King Kong modified shaders. I had hoped that it was indeed a true hack. This might be it. Just because this hacker left the cat out of the bag to M$ doesn't mean the exploit can't be reproduced. seriously I doubt he was paid anything

51.3.2007 13:07

It's early days but I just hope the XBox 360 can become as good an allround media player as the mk1 XBox was.

61.3.2007 19:54

hmmmm someone already h4ck0rzd the PS3 Hypervisor to d/l games onto the HDD. aka b00tloader for PS3. now they've taken the same concept & applied to the Xbox360.
Sweet :)

72.3.2007 8:57

xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+

Most other people to themselves: j00 @Re 50 |<3\/\/l U5iNG L33t$P34k 1N 4 PUbl1c PH0Ru|\/|...|\|Ot!

sorry just a pet peeve of mine.

82.3.2007 10:48

Originally posted by duckNrun:
xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+

Most other people to themselves: j00 @Re 50 |<3\/\/l U5iNG L33t$P34k 1N 4 PUbl1c PH0Ru|\/|...|\|Ot!

sorry just a pet peeve of mine.

u seem to have a lot of pet peeves buddy. where's some actual content in your msg about the story? having a bad day? :( :( :(

92.3.2007 11:09

lol actually not a bad day at all, just hate to see leet in a public forum knowing that most people cant read it. Seems pointless, like posting french in an all english forum.


103.3.2007 4:02

... OK, righty-o. Anyway, It would have been cool to see this exploit built on and expanded. Imagine the possibilities!! This could have been the first X360 mod... looks like my waiting period to buy one is extended :(

113.3.2007 11:45

x hardcore said: you are so lame using leetspeak in a public forum...not!
yea ur cool

126.11.2007 12:25

xhardc0re to self: I 4|\/| $0 |<3\/\/l 83c@u53 1 C4|\| U$E LE3+ = i am so cool i can use leet
Thats one out of many. the real question is how he was able to get as far as he did.

139.11.2007 6:27

This is very old news.

Comments have been disabled for this article.

News archive